StartSSL has suspended issuance of digital certificates and related services following a security breach on 15 June. A trademark of Eddy Nigg’s StartCom, the StartSSL certificate authority is well known for offering free domain validated SSL certificates, but also sells organisation and extended validation certificates.
More than 25 thousand websites in Netcraft’s SSL survey use certificates issued by StartSSL. These are recognised by Internet Explorer, Firefox, Chrome and other mainstream browsers.
StartSSL is not alone in offering free certificates. AffirmTrust recently trumped StartSSL’s one-year certificates with its own offer of free three-year domain validated SSL certificates. Coincidentally, AffirmTrust announced its launch on the same day as the StartSSL security breach.
StartSSL is also not the only certificate authority to come under attack this year. In March, Comodo came under attack through three of its resellers. By compromising a GlobalTrust website, the so-called ComodoHacker managed to fraudulently issue several valid certificates, including ones for the login pages of Yahoo and Skype. These certificates were subsequently revoked and browser software was updated to explicitly blacklist them.